bcrypt-nodejs.compare always returns false

Question

I am setting up a login using node.js, bcrypt, sequelize, and passport and I've followed the documentation online but for some reason the .compare function always returns false even when I know the passwords match.

In my model I added a beforCreate hook to encrypt the password:

beforeUpdate: function(user, options, fn) {
    encryptPassword(user, options, fn);
}

encryptPassword function:

encryptPassword = function(user, options, fn) {
    if (!user.changed('password'))
        return fn();

    bcrypt.hash(this.password, null, null, function(err, hash) {
        if (err) return fn(err);
        user.password = hash;
        fn();
    });
}

My controller where I create the user:

User
    .create({
        username: req.body.username,
        password: req.body.password
    })
    .then(function() {
        res.json({
            message: 'New beer drinker added to the locker room!'
        });
    });

That works great, the user is stored in my DB with the hashed password.

Now I try to log the user in using passport

passport.use(new BasicStrategy(
    function(username, password, callback) {
        User
            .find({
                where: {
                    username: username
                }
            })
            .then(function(user) {
                // No user found with that username
                if(!user) return callback(null, false);

                // Make sure the password is correct
                user.verifyPassword(password, function(err, isMatch) {
                    if(err) return callback(err);

                    // Password did not match
                    if(!isMatch) return callback(null, false);

                    // Success
                    return callback(null, user);
                });
            })
            .catch(function(err) {
                return callback(err);
            });
    }
));

This process calls user.verifyPassword which is an instanceMethod of my user model.

verifyPassword: function(password, callback) {
    bcrypt.compare(password, this.password, callback);
}

However the callback is always false regardless of if the passwords match or not. Does anyone have any ideas what I'm doing wrong? I tried to switch to bcrypt but I couldn't get it to install because node-gyp rebuild always fails complaining it can't find the env variable for python which I've installed. Plus I don't want to have a huge pain in the ass trying to get the server developers to set up a server with all of the dependencies and stuff of the normal bcrypt.

Answer 1

When encrypting the password I was using this.password which was undefined. I needed to use user.password to get the current password.

bcrypt.hash(user.password, null, null, function(err, hash) {
    if (err) return fn(err);
    user.password = hash;
    fn();
});

Answer 2

You're not actually passing the password to the verifyPassword function.

user.verifyPassword(password, function(err, isMatch) {
   ...              ^^^^^^^^
});`

that password variable isn't actually defined. When you are in the .then() function you have access to the object that is returned from the database. Whether it is a single result or a result set.

user.verifyPassword(user.password, function(err, isMatch) { ... });
                    ^^^^^^^^^^^^^

You'll have to access the data inside the object that you get back from the .findAll() query.

Hope this helps.